India:
RBI Issues Guidelines To Regulate Payment Aggregators

Introduction

Three decades ago, India's economic liberalisation led to a
drastic change in its social and economic landscape, with the
country consistently being one of the fastest growing economies in
the world. The turn of the century saw telecom infrastructure in
India grow exponentially, resulting in faster networks and
increased public access to the internet and data. This
set the platform for the development of e-commerce in India and
resulted in an increased adoption of digital payments by buyers and
sellers alike, requiring payment service providers to innovate and
offer solutions designed to enable online merchants to seamlessly
accept digital payments. Such service providers were subject to the
supervision of the Reserve Bank of India (RBI) pursuant to a
notification dated 24 November 2009 issued by the RBI
(Intermediaries Directions), under which payment intermediaries
were required to pool the funds collected from customers in
separate 'nodal' accounts, and transfer such funds to the
relevant beneficiaries within a specified timeframe in accordance
with a specified process.

As India now evolves as a 'less-cash' economy,
the RBI reviewed the existing regulations applicable to such
payment service providers in a discussion paper issued on 17
September 2019 (Discussion Paper), and highlighted a few concerns
such as: (a) lack of proper systems for reporting of payments being
routed; (b) inadequate governance practices impacting customer
confidence and experience; and (c) absence of clear delineation of
roles and responsibilities between merchants and customers,
etc.

The RBI has now introduced an entirely new regulatory framework
for payment aggregators under the Payment and Settlement Systems
Act, 2007 (PSS Act) through the 'Guidelines on Regulation of
Payment Aggregators and Payment Gateways' issued on 17 March
2020 (Guidelines). The Guidelines will be effective from 1 April
2020.

Key Highlights

- Scope of activities of payment aggregators and payment
gateways

Payment aggregators have been defined
as entities which facilitate e-commerce sites and merchants to
accept various payment instruments from the customers for
completion of their payment obligations, without the need for
merchants to create a separate payment integration system of their
own. Payment aggregators must connect merchants with acquirers, and
in the process, collect and pool customer payments, and transfer
such payments to the merchants after a given time period.

Payment gateways have been defined as
entities which provide technology infrastructure to route and
facilitate processing of an online payment transaction without any
involvement in the handling of funds involved in the payment
transaction.

Payment aggregators are required to
obtain authorisation from the RBI for undertaking payment
aggregation activities (and comply with various other requirements
on an ongoing basis, including adoption of specified
recommendations relating to information technology and data
security standards), and payment gateways have been advised to
adopt the aforesaid technology related recommendations as a matter
of good practice.

It has been clarified that the
Guidelines would not be applicable to physical payments made by
customers in cash under the 'cash on delivery' model
adopted by e-commerce sites and merchants.

The Guidelines will also be
applicable to the domestic leg of any import or export related
payments which are facilitated by payment aggregators.

Comment: While payment aggregators have been
defined as entities that facilitate e-commerce sites and
merchants to accept various payment instruments and would
ostensibly exclude such e-commerce sites and
merchants themselves, there are no specific exclusions
provided under the Guidelines in this regard. Further, payment
service providers which facilitate payments for goods and services
that are delivered to customers immediately or simultaneously with
the making of the payment under the 'delivery versus
payment' model, are also not expressly exempt from the ambit of
the Guidelines (which is the case under the Intermediaries
Directions).

In connection with processing of payments relating to import
and export transactions, it is unclear whether the existing
instructions issued by the RBI to banks on the arrangements entered
into by them with online payment gateway service providers (OPGSPs)
will continue. The interplay between the OPGSP framework and the
regulatory framework prescribed for payment aggregators under the
Guidelines will have to be analysed to iron out any conflicts (for
example, on timelines for settlement of payments with merchants,
and on whether the collection accounts to be maintained by OPGSPs
will be governed by the escrow mechanism prescribed under the
Guidelines).

- Authorisation process with the RBI
for payment aggregators

Payment aggregators are required to
obtain prior authorisation from the RBI. The promoters of the
applicant must fulfil the 'fit and proper' criteria
prescribed by the RBI. Applications for such authorisation must be
made to the RBI in the prescribed format. No timeline has been
prescribed for processing these applications by the RBI.

It has been clarified that licensed
banks which provide payment aggregation services as part of their
normal banking relationship would not require separate
authorisation.

Existing players are required to
submit applications before 30 June 2021 and can continue operating
their existing payment aggregation business until processing of
their applications by the RBI.

Applicants regulated by financial
sector regulators are required to additionally obtain and submit a
no-objection certificate from such financial sector regulator for
undertaking payment aggregation business.

E-commerce marketplaces which also
provide payment aggregation services are required to discontinue
such services, house the payment aggregation business in a separate
entity, and submit applications for obtaining authorisation under
the Guidelines by 30 June 2021.

Comment: The requirement for obtaining prior
RBI authorisation will directly impact existing market players in
the payment aggregation space. Such aggregators will consequently
be subject to the direct regulatory supervision of the RBI and will
have to undertake ongoing compliances as prescribed under the
Guidelines. The requirement for applicants to obtain NOCs from
financial sector regulators may also delay the registration process
for businesses which offer multiple financial services (such as
insurance products, investment advisory, etc.) through a single
corporate entity.

- Minimum capitalisation
norms

Existing market players must maintain
net worth capitalisation of at least (a) INR 150 million by 31 March 2021; and (b) INR
250 million by 31 March 2023 (and at all times thereafter).

New entrants must maintain net worth
capitalisation of at least (a) INR 150 million at the time of
submitting their application to the RBI; and (b) INR 250 million at the
expiry of three years from the date of obtaining RBI authorisation
(and at all times thereafter).

Comment: An onerous minimum net worth
requirement of INR 1 billion was proposed in the
Discussion Paper. Based on feedback received from ecosystem
participants, the RBI has significantly reduced the capitalisation
requirement and has also provided a longer time period of three
years for businesses to achieve such net worth. This is yet another
example of the RBI being receptive to the concerns raised by the
payment industry. While existing market players have been
provided a time period up to 31 March 2021 to achieve the initial
net worth threshold of INR 150 million, the illustrative table
provided by the RBI in the Guidelines refers to a conflicting time
period linked to the earlier of: (a) the date of
submission of the application to the RBI by such existing players;
and (b) 31 March 2021. It is therefore unclear whether existing
market players who submit applications to the RBI for obtaining the
payment aggregator license before 31 March 2021, will be provided
additional time until 31 March 2021 to achieve the aforesaid
initial net worth requirement.

- Pooling of funds and settlement
timelines

While payment intermediaries are
required to route funds collected from customers through 'nodal
accounts' (which are to be treated as internal accounts of the
banks) under the Intermediaries Directions, payment aggregators
must now ensure pooling of funds collected from customers in an
'escrow account' maintained with a scheduled commercial
bank. The Guidelines specify that such escrow account should be
maintained with only one scheduled commercial bank at any point of
time. The balance in such escrow account at the end of each day
must not be less than the amounts collected by the aggregator from
customers, or the amounts payable by the aggregator to the
merchants. Payment aggregators are also permitted to earn interest
on a specified 'core portion' of the funds lying in the
escrow account, subject to specified conditions.

The Guidelines set out the purposes
for which monies can be credited into, and debited from the escrow
account (similar to the permissible credits and debits to nodal
accounts prescribed under the Intermediaries Directions). The RBI
has specifically permitted pre-funding of the escrow account by
payment aggregators or merchants, and routing of funds connected
with promotional activities, incentives, and cashbacks through the
escrow account. In addition to settling funds lying in the escrow
account to the various merchants and service providers, the
Guidelines also permit settlements into any other account on the
specific directions of the merchant.

The timelines for settlement of
payments from the escrow account have now been linked to the date
of intimation or confirmation provided by the merchants to the
aggregators on the shipment or delivery respectively, depending on
whether or not the payment aggregator is responsible for the
delivery of goods or services. Further, if the merchant and the
payment aggregator agree on retaining funds in the escrow account
until the period up to which customers can initiate refunds of
monies paid, the settlement of the funds to the merchant from the
escrow account must be made within one day from the expiry of such
period.

Operation of the escrow account by
the payment aggregators has been classified as a 'designated
payment system' under Section 23A of the PSS Act, thereby
affording additional statutory protection to the funds pooled by
payment aggregators.

Comment: The escrow mechanism outlined in
the Guidelines largely mirrors the escrow structure applicable to
issuers of prepaid payment instruments. Existing market players
would be required to move from the current nodal account structure
applicable to payment intermediaries under the Intermediaries
Guidelines to the escrow account structure prescribed under the
Guidelines. Such escrow mechanism would offer better protection of
customer funds as it would insulate the e-commerce sites and
merchants against the risk of insolvency or liquidation of banks or
payment aggregators. This will ensure that the arrangements entered
into by the payment aggregators with their clients are not adversely
affected in situations similar to the recent moratorium imposed by the
RBI in connection with Yes Bank which impacted many fintech
businesses.

The requirement for payment aggregators to maintain the
escrow account with a single bank may negatively impact the
aggregators if the operations of such bank are restricted due to
imposition of a regulatory moratorium or similar actions. The RBI
should either permit aggregators to use multiple banks or provide
clear provisions to ensure that operations of aggregators do not
abruptly come to a standstill owing to actions against one
bank.

The regulatory approach followed by the RBI with respect to
non-payment related activities of payment aggregators is
unclear as on one hand, the RBI requires e-commerce marketplaces to
separately house their payment aggregation related activities, but
on the other hand, while stipulating the settlement timelines for
payment aggregators, the RBI appears to acknowledge the involvement
and responsibility of such aggregators in the shipment and delivery
of goods and services purchased by the customers on such
marketplace platforms.

Payment aggregators would be subject
to periodic disclosure and reporting requirements prescribed under
the Guidelines, including annual certifications on net worth,
monthly reporting of transactions processed through various payment
instruments, quarterly reporting of escrow account balance, and
details of debits and credits with respect to the escrow
account.

Payment aggregators must have a board
approved policy for merchant onboarding, conduct background checks
on merchants and ensure that they do not facilitate payments for
sale of fake, counterfeit or prohibited products.

Payment aggregators are required to
disclose on their website and mobile application comprehensive
information regarding the policies, customer grievance, privacy
policy, and other terms and conditions of the merchants onboarded
by them.

The Guidelines prescribe that any
data or credentials relating to payment cards utilised by customers
for making payments must not be saved on the merchant sites, on the
payment aggregators' database or even on the server accessed by
the merchant.

Payment aggregators would also be
responsible to check for PCI-DSS and PA-DSS compliances of the
merchants and must have a board approved policy for information
security. The RBI has also prescribed various requirements to be
followed by payment aggregators with respect to their information
technology systems and related security measures.

Payment aggregators must comply with
the Prevention of Money Laundering Act, 2002 and the regulations
issued by the RBI with respect to know-your-customer,
anti-money laundering and combating financing of terrorism.

Payment aggregators should have a
formal customer grievance redressal and dispute management
framework, and appoint a nodal officer to handle regulatory and
customer grievance functions.

Comment: The various ongoing compliances
prescribed by the RBI under the Guidelines will increase the
compliance burden on payment aggregators. The restriction on saving
customer card data by the merchants as well as payment aggregators
may create friction points for customers as they may not be in a
position to pre-fill card details on online platforms, and might
have to re-enter the card number and related details for each
transaction. The requirement for payment aggregators to ensure
PCI-DSS and PA-DSS compliances of the infrastructure of merchants
on-boarded by them may add to the technical compliances to be
undertaken by them, and it remains to be seen whether this will
find widespread acceptance, particularly with respect to smaller
merchants. Disclosure of merchant-wise payment transaction details
processed by payment aggregators, if requested by the RBI, may
ultimately lead to disclosure of GMV figures to the RBI.

Concluding Remarks

The Guidelines are in tune with India's overall push for
digital payments and its vision of a 'less-cash'
economy. The Guidelines provide additional security and protection
to customers of e-commerce sites and merchants by ensuring
increased accountability in the operations of payment aggregators.
However, the Guidelines are unclear on a few aspects including
interplay with payments processed under the 'delivery
versus payment' model. Further, since the Guidelines do
not expressly repeal the Intermediaries Directions, one would
assume that intermediaries other than payment aggregators (such as
marketplace platforms) would continue to be governed under the
Intermediaries Directions and route customer funds collected by
them through nodal accounts. Regulatory clarifications on some of
these aspects would be required and one hopes that the RBI will
give adequate time to the ecosystem participants to structure their
business models and make applications post such clarifications.
Overall, the Guidelines are a positive step towards bringing
transparency and accountability in the digital payments space.

The content of this document does not necessarily reflect the
views/position of Khaitan & Co but remain solely those of the
author(s). For any further queries or follow up please contact
Khaitan & Co at legalalerts@khaitanco.com
